1. Field of the Invention
The present invention relates generally to data processing systems and in particular to using servers for user authentication. Still more particularly, the present invention relates to a computer implemented method and data processing system for user authentication using Lightweight Directory Access Protocol (LDAP).
2. Description of the Related Art
When a user performs a login on a computer connected to a network, the computer attempts to authenticate the user to determine whether the user is allowed to access the computer, and through the computer, allowed access to a subset of the network. One method to authenticate a user is to use Lightweight Directory Access Protocol (LDAP).
If the operating system of the computer is configured to use LDAP authentication, then the computer authenticates the user by sending an authentication request to one or more LDAP servers. An LDAP server stores user information such as the user's username, password (normally held as a hash and checked by the server during a bind operation), type of account, and home directory. Each server uses this information to determine whether the user is allowed access to the computer and, through the computer, to a subset of the network.
A user authentication request contains specific information about the user and about the LDAP server authenticating the user. User details such as the user's username and password are collected from the user when the user tries to log in to the computer. Details about the LDAP server, such as its search base, the distinguished name used to bind to it, and its port number, are contained in a configuration file in the operating system. When the user authentication request is sent to one or more LDAP servers, the request is successfully processed by a given LDAP server only if the request carries the parameters specific to that server. If the server's actual parameters differ even slightly from those in the request (for example, the search base named in the request does not contain the user's entry), the server cannot successfully process the request and the user is not allowed to log in.
One way to ensure that all LDAP servers successfully process the user authentication request is to configure certain parameters identically on all of the LDAP servers. For example, the LDAP servers could be configured so that each server has the same search base, accepts the same distinguished name with which the client binds to it, listens on the same port number, and requires that the user name be specified in the same way. However, configuring all the LDAP servers so that these parameters are identical is typically difficult to do and often not desirable.
For example, a geographically dispersed organization might be divided into multiple regions, such as North America, Europe, and Asia, with each region having its own regional LDAP server. In this example, each region has a different search base (the point in the directory tree from which the search for the user's entry begins), but the configuration file, and therefore the user authentication request, can specify only one of the three search bases, so the request fails on the other two servers.
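The following is an added example, not code from the original document, that simulates the client-side procedure described above against three constructed regional directory servers. The host name, DNs, users and passwords are made up, and the client configuration uses the key names of an /etc/ldap.conf-style file (base, binddn, bindpw, port, pam_login_attribute), which is an assumption about the "configuration file in the operating system" mentioned above.

```python
"""Constructed simulation of one fixed LDAP client configuration being sent to
several regional servers. Not code from the original document; every server,
DN, user and password below is made-up sample data."""

from dataclasses import dataclass


def normalize_dn(dn):
    """Simplified DN comparison form: ignore case and whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


@dataclass
class MockLdapServer:
    """One regional directory as a flat map of DN -> attributes. A real server
    keeps a password hash and verifies it inside the bind operation; the mock
    compares the constructed clear-text value so the example runs offline."""
    name: str
    port: int
    entries: dict

    def bind(self, dn, password):
        entry = self.entries.get(normalize_dn(dn))
        return entry is not None and entry.get("userPassword") == password

    def search(self, base, attr, value):
        """Subtree search: DNs at or below `base` whose `attr` equals `value`."""
        base = normalize_dn(base)
        return [dn for dn, attrs in self.entries.items()
                if (dn == base or dn.endswith("," + base))
                and attrs.get(attr) == value]


def parse_ldap_conf(text):
    """Parse 'key value' lines (comments start with '#') into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip()
    return conf


def authenticate(server, conf, username, password):
    """Replay the client's fixed procedure against one server: port check,
    bind with the configured service DN, search for the user under the
    configured base, then bind as the entry found. Returns (ok, detail)."""
    if server.port != int(conf.get("port", "389")):
        return False, "port mismatch"
    if not server.bind(conf["binddn"], conf["bindpw"]):
        return False, "service bind DN %s rejected" % conf["binddn"]
    attr = conf.get("pam_login_attribute", "uid")
    hits = server.search(conf["base"], attr, username)
    if not hits:
        return False, "no %s=%s under base %s" % (attr, username, conf["base"])
    if not server.bind(hits[0], password):
        return False, "invalid credentials"
    return True, hits[0]


def make_region(name, port, region_base, proxy_dn, users):
    """Constructed regional server: a service (proxy) account plus one entry
    per user under ou=people of the region's base."""
    entries = {normalize_dn(proxy_dn): {"userPassword": "proxy-secret"}}
    for uid, pw in users.items():
        dn = "uid=%s,ou=people,%s" % (uid, region_base)
        entries[normalize_dn(dn)] = {"uid": uid, "userPassword": pw}
    return MockLdapServer(name, port, entries)


# NA and EU share the bind DN and port but not the base; Asia differs in all three.
NA_SERVER = make_region("na", 389, "dc=na,dc=example,dc=com",
                        "cn=proxy,dc=example,dc=com", {"alice": "alice-pw"})
EU_SERVER = make_region("eu", 389, "dc=eu,dc=example,dc=com",
                        "cn=proxy,dc=example,dc=com", {"bob": "bob-pw"})
ASIA_SERVER = make_region("asia", 636, "dc=asia,dc=example,dc=com",
                          "cn=proxy,dc=asia,dc=example,dc=com", {"carol": "carol-pw"})
SERVERS = (NA_SERVER, EU_SERVER, ASIA_SERVER)

# The single client configuration, written for the NA server (constructed).
CLIENT_CONF = parse_ldap_conf("""
# ldap.conf-style client settings
host ldap.example.com
base dc=na,dc=example,dc=com
binddn cn=proxy,dc=example,dc=com
bindpw proxy-secret
port 389
pam_login_attribute uid
""")


def try_all(username, password, conf=CLIENT_CONF):
    """Send the same request to every server and collect each server's verdict."""
    return {s.name: authenticate(s, conf, username, password) for s in SERVERS}


if __name__ == "__main__":
    for user, pw in (("alice", "alice-pw"), ("bob", "bob-pw"), ("carol", "carol-pw")):
        print(user, try_all(user, pw))
```

Running it shows that only alice, whose entry sits under the configured NA base, is ever accepted: bob exists on the EU server but the search under dc=na,dc=example,dc=com returns nothing, and the Asia server rejects the request before any search because the port and bind DN differ. Overriding base, binddn and port per region (for example `dict(CLIENT_CONF, base="dc=eu,dc=example,dc=com")` for the EU server) makes the same procedure succeed, which is exactly the per-server configuration the text says a single client file cannot express. Note that the failure mode is a denied login, not a mis-authenticated one: the server never vouches for a user whose entry it cannot find.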
Therefore, the current method of authenticating a user with multiple LDAP servers requires that all the servers be configured identically or else the servers will not authenticate the user. Configuring the servers identically is difficult and may not be desirable.